No rate limit on the "resend email" feature when enabling or disabling 2FA from the /prefs/mfa endpoint in ikus060/rdiffweb
Reported on
Dec 21st 2022
Description
When a user is setting up 2FA, a verification code is sent to the registered email address. There is no rate limit on triggering this email, which can result in an email flood / DoS attack and will also increase the cost of running your mail server, since an attacker can send 1 million emails through this vulnerability, all of which adds to your bill.
Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa
2) Click on "Enable 2FA". A verification link will be sent to your email.
3) You will see a "Resend code to my email" button; click on it and capture the request using the Burp Suite proxy.
4) Send this request to Burp Suite Intruder and fire the same payload 1000 times.
5) The registered email will receive 1000 emails with verification codes.
# Impact
An attacker can abuse this bug by:
1) Causing an impact on the user. Scenario: the user left their account open on a library computer; anyone at that machine can perform the above steps to flood the user's mailbox with spam.
2) Adding an extra cost to the company's mail server.
# Please note: the previous rate-limit bug concerned the /mfa endpoint, whereas this report concerns the /prefs/mfa endpoint.
PoC video: https://drive.google.com/file/d/1L5mZJ7WvtCZEw0MQBEjtxMYSCkpL923i/view?usp=sharing
Hello sir,
Thank you for validating this issue.
I have found this same bug through an application logic error as well.
On entering a wrong code more than 3 times, the application automatically sends/triggers a new code to the user's email address.
Using this logic, if an attacker is able to provide 100000 wrong attempts, a new email will automatically be generated on every third attempt, and this will again cause an email flood attack.
Should I create another report demonstrating that issue?
Hello Nehal,
I've deployed a possible fix for this vulnerability in Rdiffweb Dev.
Regarding
Using this logic, if an attacker is able to provide 100000 wrong attempts, a new email will automatically be generated on every third attempt, and this will again cause an email flood attack.
That is not true: since we have a rate limit on /mfa and now on /prefs/mfa, an attacker will not be able to send more than 20 emails per hour (this is the default rate limit).
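As an added example (not rdiffweb's own code and not part of this report): a per-account sliding-window limiter, defaulting to the 20-emails-per-hour figure the maintainer cites, placed in front of both email-triggering paths discussed in the thread, the explicit "resend" and the automatic resend after three wrong codes. The class and function names, and the mailer callback, are hypothetical.

```python
import hmac
import time
from collections import defaultdict, deque

# 20 emails per hour per account: the default limit the maintainer cites (assumed here)
MAX_EMAILS_PER_WINDOW = 20
WINDOW_SECONDS = 3600


class VerificationEmailLimiter:
    """Sliding-window counter of verification emails sent per account."""

    def __init__(self, limit=MAX_EMAILS_PER_WINDOW, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._sent = defaultdict(deque)  # account -> timestamps of sent emails

    def try_send(self, account):
        """Record a send and return True, or False if the hourly budget is spent."""
        now = self.clock()
        stamps = self._sent[account]
        while stamps and now - stamps[0] >= self.window:  # drop expired entries
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


class MfaFlow:
    """Hypothetical MFA handler: both paths that can trigger an email
    ("resend" and "new code after 3 wrong guesses") share one budget."""

    def __init__(self, limiter, mailer):
        self.limiter = limiter
        self.mailer = mailer  # callable(account) that actually sends the email
        self.failures = defaultdict(int)

    def resend_code(self, account):
        if not self.limiter.try_send(account):
            return "rate_limited"
        self.mailer(account)
        return "sent"

    def verify_code(self, account, submitted, expected):
        if hmac.compare_digest(submitted, expected):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] % 3 == 0:  # auto-resend path from the thread
            return "wrong:" + self.resend_code(account)
        return "wrong"
```

Because the wrong-code path calls the same `resend_code`, a flood of bad guesses is capped by the same budget as the resend button, which is the point the maintainer makes above.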